xref: /aosp_15_r20/system/sepolicy/prebuilts/api/31.0/public/domain.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

userdebug_or_eng(`
  allow domain su:fd use;
  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
  allow domain su:unix_dgram_socket sendto;

  allow { domain -init } su:binder { call transfer };

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

with_native_coverage(`
  # Allow writing coverage information to /data/misc/trace
  allow domain method_trace_data_file:dir create_dir_perms;
  allow domain method_trace_data_file:file create_file_perms;
')

# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;

# /dev/ashmem is being deprecated by means of constraining and eventually
# removing all "open" permissions. We preserve the other permissions.
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;

# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;

# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };

# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;

allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;

# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)

# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# Directory/link file access for path resolution.
allow domain {
    system_file
    system_lib_file
    system_seccomp_policy_file
    system_security_cacerts_file
}:dir r_dir_perms;
allow domain system_file:lnk_file { getattr read };

# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
allow domain system_group_file:file r_file_perms;
allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };

allow domain system_event_log_tags_file:file r_file_perms;

allow { appdomain coredomain } system_file:file { execute read open getattr map };

# Make sure system/vendor split doesn not affect non-treble
# devices
not_full_treble(`
    allow domain system_file:file { execute read open getattr map };
    allow domain vendor_file_type:dir { search getattr };
    allow domain vendor_file_type:file { execute read open getattr map };
    allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow {
    domain
    -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr map };

full_treble_only(`
    # Allow all domains to be able to follow /system/vendor and/or
    # /vendor/odm symlinks.
    allow domain vendor_file_type:lnk_file { getattr open read };

    # This is required to be able to search & read /vendor/lib64
    # in order to lookup vendor libraries. The execute permission
    # for coredomains is granted *only* for same process HALs
    allow domain vendor_file:dir { getattr search };

    # Allow reading and executing out of /vendor to all vendor domains
    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
# timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;

# files under /data.
not_full_treble(`
  allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_root_file. Vendor components need the search
# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Linux lockdown mode offers coarse-grained definitions for access controls.
# The "confidentiality" level detects access to tracefs or the perf subsystem.
# This overlaps with more precise declarations in Android's policy. The
# debugfs_trace_marker above is an example in which all processes should have
# some access to tracefs. Therefore, allow all domains to access this level.
# The "integrity" level is however enforced.
allow domain self:lockdown confidentiality;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

# Restrict PTYs to only allowed ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
  F2FS_IOC_ABORT_VOLATILE_WRITE
  F2FS_IOC_COMMIT_ATOMIC_WRITE
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_PIN_FILE
  F2FS_IOC_SET_PIN_FILE
  F2FS_IOC_START_ATOMIC_WRITE
};

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;')

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;

###
### neverallow rules
###

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to an allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;

# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

# Limit device node creation to these allowed domains.
neverallow {
  domain
  -kernel
  -init
  -ueventd
  -vold
} self:global_capability_class_set mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:global_capability2_class_set mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:global_capability2_class_set mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
  domain
  -shell # For CTS, restricted to just getattr in shell.te
  -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
  domain
  -shell # stat of /dev, getattr only
  -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;

#Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow {
    domain
    with_asan(`-asan_extract')
    recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
    system_file_type
    vendor_file_type
    exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };

neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
    { create setattr relabelfrom relabelto append link rename };
neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;

compatible_property_only(`
    neverallow { domain -init } mmc_prop:property_service set;
    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
    neverallow { domain -init } exported_secure_prop:property_service set;
    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')

compatible_property_only(`
    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')

neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;

# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  userdebug_or_eng(`-incidentd')
  -init
  -mediadrmserver
  -mediaserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file r_file_perms;

neverallow {
  domain
  -init
  -recovery
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
  -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
neverallow {
  domain
  -fastbootd
  userdebug_or_eng(`-fsck')
  userdebug_or_eng(`-init')
  -recovery
  -update_engine
} system_block_device:blk_file { write append };

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

# system services cant add vendor services
neverallow {
  coredomain
} vendor_service:service_manager add;

full_treble_only(`
  # vendor services cant add system services
  neverallow {
    domain
    -coredomain
  } {
    service_manager_type
    -vendor_service
  }:service_manager add;
')

full_treble_only(`
  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  #
  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
  neverallow {
    appdomain
    -coredomain
  } {
    service_manager_type

    -app_api_service
    -vendor_service # must be @VintfStability to be used by an app
    -ephemeral_app_api_service

    -apc_service
    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
    -cameraserver_service
    -drmserver_service
    -credstore_service
    -keystore_maintenance_service
    -keystore_service
    -legacykeystore_service
    -mediadrmserver_service
    -mediaextractor_service
    -mediametrics_service
    -mediaserver_service
    -nfc_service
    -radio_service
    -virtual_touchpad_service
    -vr_hwc_service
    -vr_manager_service
    userdebug_or_eng(`-hal_face_service')
  }:service_manager find;
')

# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
')
full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
')
full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservicemanager:binder *;
')

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
  # Most general rules first, more specific rules below.

  # Core domains are not permitted to initiate communications to vendor domain sockets.
  # We are not restricting the use of already established sockets because it is fine for a process
  # to obtain an already established socket via some public/official/stable API and then exchange
  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
  # and thus does not break the core-vendor separation.
full_treble_only(`
  neverallow_establish_socket_comms({
    coredomain
    -init
    -adbd
  }, {
    domain
    -coredomain
    -socket_between_core_and_vendor_violators
  });
')

  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # appdomain restrictions below
    -data_between_core_and_vendor_violators # b/70393317
    -socket_between_core_and_vendor_violators
    -vendor_init
  } {
    coredomain_socket
    core_data_file_type
    unlabeled # used only by core domains
  }:sock_file ~{ append getattr ioctl read write };
')
full_treble_only(`
  neverallow {
    appdomain
    -coredomain
  } {
    coredomain_socket
    unlabeled # used only by core domains
    core_data_file_type
    -app_data_file
    -privapp_data_file
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
')

  # Core domains are not permitted to create/open sockets owned by vendor domains
full_treble_only(`
  neverallow {
    coredomain
    -init
    -ueventd
    -socket_between_core_and_vendor_violators
  } {
    file_type
    dev_type
    -coredomain_socket
    -core_data_file_type
    -app_data_file_type
    -unlabeled
  }:sock_file ~{ append getattr ioctl read write };
')

# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
  # only coredomains may only access core_data_file_type, particularly not
  # /data/vendor
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
  } {
    data_file_type
    -core_data_file_type
    -app_data_file_type
  }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -data_between_core_and_vendor_violators
    -init
    -vold_prepare_subdirs
    } {
      data_file_type
      -core_data_file_type
      -app_data_file_type
      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
      # neverallow. Currently only getattr and search are allowed.
      -vendor_data_file
    }:dir *;

')
full_treble_only(`
  # vendor domains may only access files in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -vendor_init
  } {
    core_data_file_type
    # libc includes functions like mktime and localtime which attempt to access
    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
    # These functions are considered vndk-stable and thus must be allowed for
    # all processes.
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
    -vendor_init
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  neverallow {
    vendor_init
    -data_between_core_and_vendor_violators
  } {
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
  # The vendor init binary lives on the system partition so there is not a concern with stability.
  neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
  neverallow {
    domain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    } {
      system_data_file # default label for files on /data. Covered below
    }:dir ~{ getattr search };
')

full_treble_only(`
  #  coredomains may not access dirs in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    -vold # vold creates per-user storage for both system and vendor
    -vold_prepare_subdirs
    } {
      vendor_data_file # default label for files on /data. Covered below
    }:dir ~{ getattr search };
')

full_treble_only(`
  #  coredomains may not access dirs in /data/vendor.
  neverallow {
    coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
    -init
    } {
      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
    }:file_class_set ~{ append getattr ioctl read write map };
')

full_treble_only(`
    # Non-vendor domains are not allowed to file execute shell
    # from vendor
    neverallow {
        coredomain
        -init
        -shell
        -ueventd
    } vendor_shell_exec:file { execute execute_no_trans };
')

full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones allowed here.
    neverallow {
        domain
        -coredomain
        -appdomain
        -vendor_executes_system_violators
        -vendor_init
    } {
        system_file_type
        -system_lib_file
        -system_linker_exec
        -crash_dump_exec
        -iorap_prefetcherd_exec
        -iorap_inode2filename_exec
        -netutils_wrapper_exec
        userdebug_or_eng(`-tcpdump_exec')
    }:file { entrypoint execute execute_no_trans };
')

full_treble_only(`
    # Do not allow coredomain to access entrypoint for files other
    # than system_file_type and postinstall_file
    neverallow coredomain {
        file_type
        -system_file_type
        -postinstall_file
    }:file entrypoint;
    # Do not allow domains other than coredomain to access entrypoint
    # for anything but vendor_file_type and init_exec for vendor_init.
    neverallow { domain -coredomain } {
        file_type
        -vendor_file_type
        -init_exec
    }:file entrypoint;
')

full_treble_only(`
    # Do not allow system components to execute files from vendor
    # except for the ones allowed here.
    neverallow {
      coredomain
      -init
      -shell
      -system_executes_vendor_violators
      -ueventd
    } {
      vendor_file_type
      -same_process_hal_file
      -vndk_sp_file
      -vendor_app_file
      -vendor_public_framework_file
      -vendor_public_lib_file
    }:file execute;
')

full_treble_only(`
    neverallow {
      coredomain
      -shell
      -system_executes_vendor_violators
    } {
      vendor_file_type
      -same_process_hal_file
    }:file execute_no_trans;
')

full_treble_only(`
  # Do not allow vendor components access to /system files except for the
  # ones allowed here.
  neverallow {
    domain
    -appdomain
    -coredomain
    -vendor_executes_system_violators
    # vendor_init needs access to init_exec for domain transition. vendor_init
    # neverallows are covered in public/vendor_init.te
    -vendor_init
  } {
    system_file_type
    -crash_dump_exec
    -file_contexts_file
    -iorap_inode2filename_exec
    -netutils_wrapper_exec
    -property_contexts_file
    -system_event_log_tags_file
    -system_group_file
    -system_lib_file
    with_asan(`-system_asan_options_file')
    -system_linker_exec
    -system_linker_config_file
    -system_passwd_file
    -system_seccomp_policy_file
    -system_security_cacerts_file
    -system_zoneinfo_file
    -task_profiles_api_file
    -task_profiles_file
    userdebug_or_eng(`-tcpdump_exec')
  }:file *;
')

# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;

neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;

neverallow {
  domain
  -tombstoned
  -crash_dump
  -dumpstate
  -incidentd
  -system_server

  # Processes that can't exec crash_dump
  -hal_codec2_server
  -hal_omx_server
  -mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;

# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;

# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
neverallow { domain -init -system_server } heapdump_data_file:file read;

# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;

# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;

# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow * {
  file_type
  -apk_data_file
  -app_data_file
  -asec_public_file
}:file execmod;

# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };

# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;

neverallow { domain -init } proc:{ file dir } mounton;

# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };

#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
  domain
  -system_server
  -system_app
  -init
  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };

# respect system_app sandboxes
neverallow {
  domain
  -appdomain # finer-grained rules for appdomain are listed below
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -iorap_inode2filename
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
  isolated_app
  untrusted_app_all # finer-grained rules for appdomain are listed below
  ephemeral_app
  priv_app
} system_app_data_file:dir_file_class_set { create unlink open };

#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
  domain
  -adbd
  -init
  -runas
  -zygote
} shell:process { transition dyntransition };

# Only domains spawned from zygote, runas and simpleperf_app_runner may have
# the appdomain attribute. simpleperf is excluded as a domain transitioned to
# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
  appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };

# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
  domain
  -appdomain
  -installd
} { app_data_file privapp_data_file }:lnk_file read;

neverallow {
  domain
  -shell
  userdebug_or_eng(`-uncrypt')
  -installd
} shell_data_file:lnk_file read;

# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
neverallow {
  domain
  -adbd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -init
  -installd
  -iorap_inode2filename
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };

# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
  domain
  -adbd
  -appdomain
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;

# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
    servicemanager
    vndservicemanager
    }:service_manager list;

# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
    hwservicemanager
    }:hwservice_manager list;

# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;

# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };

# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;

# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };

# Don't allow access to the FUSE control filesystem, except to vold and init's
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;

# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
  domain
  -installd
  -profman
} profman_exec:file no_x_file_perms;

# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;

# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:global_capability_class_set setfcap;

# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;

# Do not permit the registeration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;

# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.

# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
  proc_type
  sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };

# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;

dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
dontaudit domain cgroup_v2:file create;

# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
userdebug_or_eng(`
  dontaudit domain proc_type:dir add_name;
  dontaudit domain sysfs_type:dir add_name;
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
')

# Platform must not have access to /mnt/vendor.
neverallow {
  coredomain
  -init
  -ueventd
  -vold
  -system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;

# Only apps are allowed access to vendor public libraries.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')

# Vendor domian must not have access to /mnt/product.
neverallow {
  domain
  -coredomain
} mnt_product_file:dir *;

# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
full_treble_only(`
  neverallow {
    coredomain
    -healthd
    -shell
    # Generate uevents for health info
    -ueventd
    # Recovery uses health HAL passthrough implementation.
    -recovery
    # Charger uses health HAL passthrough implementation.
    -charger
    # TODO(b/110891300): remove this exception
    -incidentd
  } sysfs_batteryinfo:file { open read };
')

neverallow {
  domain
  -hal_codec2_server
  -hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;

# Only apps targetting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
  domain
  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
  -untrusted_app_25
  -untrusted_app_27
} ashmem_device:chr_file open;

neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;

# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;